Posts

Showing posts from January, 2011

Multiple Web Applications | Full Path Disclosure

The following web applications are found to have full path disclosure flaws (Ref: WASC-13, CWE-200).
-----------------------------------------
htmlpurifier-4.2.0 phpids-0.6.5 PhpSecInfo 111WebCalendar-1.2.3 adodb aef-1.0.8 ATutor-2.0 auth b2evolution-3.3.3 bbpress-1.0.2 cftp-r80 claroline-1.9.7 clipbucket_2.0.9_stable_Fr cmsmadesimple-1.9.2 CodeIgniter_1.7.2 concrete5.4.0.5 concrete5.4.1.1 CopperminePhotoGallery-1.5.12 craftysyntax3.0.2 CubeCart-4.4.3 dokuwiki-2009-12-25c Dolphin-7.0.4 dotproject-2.1.4 drupal-7.0 e107_0.7.24 eggblog_4.1.2 elgg-1.7.6 ExoPHPDesk_1.2.1 eyeOS-2.2.0.0 fengoffice_1.7.2 freeway_1_5_alpha_Burstow frontaccounting-2.3.1 helpcenterlive-2.1.7 hesk-2.2 jcow.4.2.1 joomla-1.6.0 kamads-2_b3 kplaylist.1.8.502 lifetype-1.2.10 limesurvey190plus-build9642-20101214 linpha-1.3.4 mambo-4.6.5 mantisbt-1.2.4 moodle-2.0.1 mound-2.1.6 mybb-1.6 nucleus3.61 NuSOAP open-realty-2.5.8 OpenBlog-1.2.1 opencart_v1.4.9.3 opendocman-1.2.6-svn-2011-01-21 orangehrm-2.6.0.2 oscommerce-3.0a5 ...

Vanilla Forums 2.0.16 <= Cross Site Scripting Vulnerability

1. OVERVIEW
Vanilla Forums 2.0.16 and lower versions were vulnerable to Cross Site Scripting.
2. BACKGROUND
Vanilla Forums are open-source, standards-compliant, customizable discussion forums. It is specially made to help small communities grow larger through SEO mojo, totally customizable social tools, and great user experience. Vanilla is also built with integration at the forefront, so it can seamlessly integrate with your existing website, blog, or custom-built application.
3. VULNERABILITY DESCRIPTION
The 'Target' parameter was not properly sanitized after the user logs in, which allows an attacker to conduct a Cross Site Scripting attack. An attacker could prepare a link in a forum post that points to a file which seems to require authentication. Upon logging in, the user will get XSSed.
4. VERSIONS AFFECTED
2.0.16 and lower
5. PROOF-OF-CONCEPT/EXPLOIT
http://vanilla/index.php?p=/entry/signin&Target=javascript:alert(document.cookie)//http://
6. SOLUTION
Upgrade to Van...

phpMyAdmin 3.4.x, 3.4.0 beta 2 <= Stored Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
The phpMyAdmin web application 3.4.0 beta 2 and lower versions of 3.4.x were vulnerable to Cross Site Scripting.
2. PRODUCT DESCRIPTION
phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc.), while you still have the ability to directly execute any SQL statement.
3. VULNERABILITY DESCRIPTION
The 'db' parameter in phpMyAdmin was not sanitized, and an attacker can inject an XSS string into the 'db' field when creating or renaming a database. An attacker can create a new database name or rename a database name through several means, such as SQL Injection in the user's vulnerable web applications or compromise of the user account through brute force or bypassing CSRF protection. Even though the phpMyAdmin use...

Known Flash-based XSS and Content spoofing Hunter

I just finished compiling a list of known flash XSS exploits in the past and created a fuzz page.
http://yehg.net/lab/pr0js/pentest/flash-xsser.php
Payloads are a mixture of XSS and content spoofing via user provided inputs. Thus, the new window approach is used. Disable your popup blocker and anti-XSS protection while testing.

Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability

========================================
Drupal 5.x, 6.x <= Stored Cross Site Scripting Vulnerability
========================================
1. OVERVIEW
Drupal 5.x and 6.x are currently vulnerable to Stored Cross Site Scripting.
2. BACKGROUND
Drupal is a free software package that allows anyone to easily publish, manage and organize a wide variety of content on a website. Hundreds of thousands of people and organizations are using Drupal to power an endless variety of sites.
3. VULNERABILITY DESCRIPTION
The 'site_footer', 'name' and 'explanation' parameters are not properly sanitized in the administration backend of Drupal 5.x and 6.x versions, which could allow attackers to conduct stored cross site scripting attacks.
4. VERSIONS AFFECTED
The vulnerability was tested in Drupal versions 5.23 and 6.20, currently the latest versions of the 5.x and 6.x families. The recently released Drupal 7 seems not to be vulnerable.
5. PROOF-OF-CONCEPT/EXPLOIT
=> XSS in Footer (...

Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW
The Joomla! 1.0.x series are currently vulnerable to Cross Site Scripting.
2. BACKGROUND
Joomla! is a free and open source content management system (CMS) for publishing content on the World Wide Web and intranets.
3. VULNERABILITY DESCRIPTION
The "ordering" parameter in a core module, com_search, is not properly sanitized and is thus vulnerable to XSS. By leveraging this vulnerability, attackers can compromise the currently logged-in user/administrator session and impersonate arbitrary user actions available under /administrator/ functions. As the vulnerability is in a core module, it affects both classic and customized Joomla! 1.0.x based web sites.
4. VERSIONS AFFECTED
Joomla! 1.0.x ~ 1.0.15 series
5. PROOF-OF-CONCEPT/EXPLOIT
http://attacker.in/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=any&ordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;top:0;left:0;width:100%;height:100%;%22
6. SOLUTION
Jo...

Geeklog 1.7.1 <= Cross Site Scripting Vulnerability

1. OVERVIEW
Geeklog was vulnerable to Cross Site Scripting in its administration backend.
2. BACKGROUND
Geeklog is a PHP/MySQL based application for managing dynamic web content. "Out of the box", it is a blog engine, or a CMS with support for comments, trackbacks, multiple syndication formats, spam protection, and all the other vital features of such a system.
3. VULNERABILITY DESCRIPTION
User supplied input is not properly sanitized in the "subgroup" and "conf_group" parameters when the configuration settings are saved in /admin/configuration.php. Attackers who manage to get or bypass the anti-CSRF token (_glsectoken) via other means can effectively perform XSS against admin users.
4. VERSIONS AFFECTED
1.7.1 and lower
5. PROOF-OF-CONCEPT/EXPLOIT
[Request]
POST /geeklog/admin/configuration.php HTTP/1.1
_glsectoken=&conf_group=Core'"--></script><script>alert(/XSS/)</script>&subgroup='"--></script><sc...